Abstract

Cryptographic protocols are the cornerstone of security in distributed
systems. The formal analysis of their properties is accordingly one of the
focus points of the security community, and is usually split between two
groups. In the first group, one focuses on trace-based security properties
such as confidentiality and authentication, and provides decision procedures
for the existence of attacks by an on-line attacker. In the second group, one
focuses on equivalence properties such as privacy and resistance to guessing
attacks, and provides decision procedures for the existence of attacks by an
offline attacker. In all cases the attacker is modeled by a deduction system
in which his possible actions are expressed.

We present in this paper a notion of finitary deduction systems that aims at
relating both approaches. We prove that for such deduction systems, deciding
equivalence properties for on-line attackers can be reduced to deciding
reachability properties in the same setting.



1 Introduction 

Context. Security protocols, i.e. protocols in which the messages are
cryptographically secured, are a cornerstone of security in distributed
applications. The need for optimizing resource utilization and their
distributed nature make their design error prone, and formal methods have been
applied successfully to detect errors in the past [21] [H]. But these methods are
limited in expressiveness, since in most cases the authors either focused on
the resolution of reachability problems, or considered models in which the
attacker could not interfere with the on-going communications among the honest
agents. In contrast we consider in this paper the general case of equivalence
properties w.r.t. an on-line attacker.

Formal models of cryptographic protocols usually present the reader with a
dichotomy between the honest agents, translated into a constraint system
[8, 50, 51] or a frame [3], and the attacker, modeled by a deduction system
expressing its possible actions. In contrast we have introduced in [15] a
notion of symbolic derivation that unifies the honest and dishonest agent
models: the actions of all agents are represented by a sequence of deductions,
nonce creations, and communication actions. The notion of equivalence
considered in this paper is the equivalence of symbolic derivations
representing honest agents.
Intuition. First, a trivial remark: since one can construct deduction systems
for which reachability is decidable but static equivalence is not, it is clear
that, generally speaking, being able to decide reachability does not imply
being able to decide symbolic equivalence. However, in most cases one can model
reachability as the satisfiability of a constraint system, and describe the
decision procedure using constraint transformation rules. A solved form is
defined as a constraint system in which the attacker just has to instantiate
variables by any term he can construct. In practice, the proof of completeness
of the procedure consists in assuming the existence of a sequence of deduction
steps that satisfies the constraint system, and in proving that as long as one
such sequence exists, either the constraint system is in solved form or there
exists a transformation rule applicable to the constraint system. Then, an
argument is given to prove that there is no infinite sequence of
transformations. Using König's lemma, the finiteness (also to be proved) of the
number of possible successors of each constraint system implies termination of
the procedure.

Our motivation was that such procedures actually do much more than simply 
deciding reachability, as they end with a set of constraint systems in solved form 
that, as long as the completeness proof is along the lines given above, cover all 
possible attacks. Formalizing this argument is however not trivial, since 

• not all instances of the variables occurring in a constraint system in solved 
form correspond to attacks; and 

• when testing the equivalence of two protocols, we have to take into account 
the equality tests the attacker can perform to analyze the responses of the 
honest agents. 

We have bypassed the first difficulty by imposing that the attacker instantiates
the first-order variables of a constraint system in solved form with constants,
and proved that replacing these constants by any possible construction yields
another attack. This replacement is formalized by an ordering on the attacks,
the attacks corresponding to solved forms being the minimal ones. Finitary
deduction systems are those for which the set of minimal attacks is always
finite. The second difficulty is solved by first proving that it suffices to
consider an attacker that performs at most one test, and then proving that this
test can be guessed before the computation of solved forms. Finally, and
implementation-wise, we consider effective finitary deduction systems, for
which we assume that this finite set is computable.

Applications. The symbolic equivalence notion we consider in this paper has
three straightforward applications, related respectively to on-line guessing
attacks, to proving cryptographic properties in a symbolic setting, and to
privacy. We have proved, in collaboration with M. Rusinowitch [19], that every
protocol narration (for any deduction system) can be compiled into an active
frame, which is a simplified form of symbolic derivation with a total ordering
on states and no intermediate computations between communications.






Guessing attacks. Introduced by Schneier [53] under the name of dictionary
attacks, they consist in guessing a secret piece of data and then being able to
check whether the guess is correct. They can be offline, in which case the
attacker observes interactions between honest participants and has to decide
whether the guessed piece of data has been employed, or on-line, in which case
the intruder can interact with the honest participants.

Guessing attacks have been formalized thanks to the concept of
indistinguishability (see e.g. [0]). We can now say that a protocol is
vulnerable to undetectable on-line guessing attacks whenever (i) the honest
agents cannot distinguish between a session with the right piece of data and
one involving a wrong guess, whereas (ii) the intruder can distinguish the two
executions. We model the first point by stating that the tests performed by the
honest agents succeed in both cases, and the second point by saying that the two
executions are not equivalent.

Cryptographic properties. A line of work initiated by [4] showed that
computational proofs of indistinguishability ensuring the security of a
protocol can be derived, under some natural hypotheses on the cryptographic
primitives, from symbolic equivalence proofs. This has opened the path to the
automation of computational proofs. It was shown in [20] that in the presence
of an active attacker, observational equivalence of the symbolic processes can
be transferred to the computational level.

Privacy. Symbolic equivalence is a crucial notion for specifying security
properties such as anonymity or secrecy of a ballot in voting protocols [22].
More generally, the analysis of privacy in communication protocols, e.g. of the
client's identity in an anonymization protocol such as IDEMIX [32, 13], is
inherently an equivalence problem. One has to prove that a protocol preserves
the strong secrecy of an attribute, i.e. that an observer cannot distinguish
the execution of a protocol transmitting this attribute's value, be it a vote
or her identity, from one in which a random piece of data is exchanged.

Related work. We believe that Mathieu Baudet's modeling of attacks by
instantiation of second-order variables [5] is the real breakthrough that
enabled the formal analysis of the equivalence problem in the on-line attacker
setting. Indeed, it was the first time that the actions of the attacker were
represented explicitly in solutions, instead of just keeping track (with a
substitution on the first-order variables of the constraint system) of their
interaction with the honest participants.

In collaboration with M. Rusinowitch [19] we have given another proof of
Baudet's result in the setting of symbolic derivations. We believe that this
setting is more complex but introduces a language fit to prove decidability and
complexity results. Also, it possesses a symmetry between honest participants
and the attacker that permits one to greatly simplify otherwise redundant
proofs. We consider in this paper a setting in which the actions of the honest
agents are represented by one Honest Symbolic Derivation (HSD) and those of a
unique intruder by one Attacker Symbolic Derivation (ASD). Symbolic derivations
can be seen as standing between symbolic traces [8] and the simple
cryptographic processes of [21]: the sequence of messages is not totally ordered
as is the case in [5], but there is no branching except for termination on
error, nor any recursive process.

Few decidability results are available. In the article [26] Hüttel proves
decidability of framed bisimilarity for a fragment of the spi-calculus without
recursion. Since then, the only original decidability result on the equivalence
of symbolic traces we are aware of is for the class of subterm deduction
systems and was given by M. Baudet [8] [H]. We have recently given another
proof of this result [18], on which this paper elaborates. Implementation-wise,
an efficient procedure is presented in [14], in which one considers only the
Dolev-Yao deduction system. In spite of the relevance of this problem, we are
not aware of any extension of Baudet's decidability result to other classes of
deduction systems.

In [32] the authors consider, as Hüttel [SS], the same problem in the simpler
case of the standard Dolev-Yao syntactic deduction system (with no equational
theory). They employ the notion of solved form as introduced in [8], and more
specifically the fact that solved forms cover all possible attacks. The
existence of such a finite set of solved forms corresponds exactly to our
notion of finitary deduction system.

However, we note that their setting enforces a strict separation between the
values of the first-order variables and the observer process. This has in our
opinion two negative side-effects. First, it is well known that not all
instances of the first-order substitutions constructed are instances of
attacks. Second, given that the authors of [32] only keep track of the
constraints that remain to be solved, the attacks themselves are not
represented explicitly in the solution. Hence it is not possible to reason on
all first-order instances of a solved form (since they are not all attacks)
nor on the observer processes (since only their interaction with the processes
under scrutiny is recorded). This is the reason why we believe that the
symbolic derivation setting adopted in this paper, while more cumbersome at
first, is better suited to reasoning on sets of solutions, and therefore on
process equivalence.

Many works have been dedicated to proving correctness properties of cryp- 
tographic protocols using equivalences on process calculi. In particular framed 
bisimilarity has been introduced by Abadi and Gordon [3] for this purpose, for 
the spi-calculus. Another approach that circumvents the context quantification 
problem is presented in [12] where labeled transition systems are constrained 
by the knowledge the environment has of names and keys. This approach allows 
for more direct proofs of equivalence. 

In [21] the authors show how to apply the result by Baudet on S-equivalence
to derive a decision procedure for symbolic equivalence for subterm convergent
theories for simple processes. Since [21] relies on the proof of Baudet's
result, which is long and difficult [3], we believe that providing a simple
criterion will be useful to derive other decidability results in process
algebras.

[Footnote, beginning lost in extraction:] ... restriction of symbolic
equivalence in which the actions of all the honest agents are totally ordered.
To the best of our knowledge, the only tool (besides [2]) capable of verifying
equivalence-based secrecy is the resolution-based algorithm of ProVerif [10],
which has been extended to handle equivalences of processes that differ only
in the choice of some terms, in the context of the applied π-calculus [11].
This allows one to add some equational theories modeling properties of the
underlying cryptographic primitives.

Example finitary deduction systems. We remark that the standard Dolev-Yao
deduction system [24] is finitary, since for every attack one can guess a
subsequence of deduction steps which is itself an attack [18]. In this regard,
this work extends [35] to other deduction systems such as subterm deduction
systems (the proof that from every attack one can guess a sequence of
deductions bounded by the size of the input protocol is given e.g. in [28]).
We leave to future work the extension to contracting saturated deduction
systems, also defined in [25].

Organization of this paper. We reuse in this paper the notions and notations
for terms, equational theories, deduction systems, and symbolic derivations
introduced in earlier papers (Sections 2 and 3). We give in Section 4 a few
properties of symbolic derivations, and define finitary deduction systems
accordingly. We present in Section 5 a sketch of the proof that symbolic
equivalence is decidable for finitary deduction systems, and conclude in
Section 6. This document is the version of an article submitted to ACM CCS
2011, with the addition of the proofs of all statements.

2 Formal setting 
2.1 Term algebra 

We consider a countable set of free constants $\mathcal{C}$, a countable set of
variables $\mathcal{X}$, and a signature $\mathcal{F}$ (i.e. a set of function
symbols with arities). We denote by $T(\mathcal{F})$ (resp.
$T(\mathcal{F},\mathcal{X})$) the set of terms over $\mathcal{F}\cup\mathcal{C}$
(resp. $\mathcal{F}\cup\mathcal{C}\cup\mathcal{X}$). The former is called the
set of ground terms over $\mathcal{F}$, while the latter is simply called the
set of terms over $\mathcal{F}$. Variables are denoted by $x, y$, terms are
denoted by $s, t, u, v, \ldots$ and decorations thereof, respectively.

A constant is either a free constant in $\mathcal{C}$ or a function symbol of
arity 0. Given a term $t$ we denote by $\mathrm{Var}(t)$ the set of variables
occurring in $t$ and by $\mathrm{Const}(t)$ the set of constants occurring in
$t$. We denote by $\mathrm{atoms}(t)$ the set $\mathrm{Var}(t) \cup
\mathrm{Const}(t)$. We denote by $\mathcal{A}$ the set of all constants and
variables. A substitution $\sigma$ is an idempotent mapping from $\mathcal{X}$
to $T(\mathcal{F},\mathcal{X})$ such that $\mathrm{Supp}(\sigma) = \{x \mid
\sigma(x) \neq x\}$, the support of $\sigma$, is a finite set. The application
of a substitution $\sigma$ to a term $t$ is denoted $t\sigma$ and is equal to
the term $t$ where all variables $x$ have been replaced by the term $x\sigma$.
A substitution $\sigma$ is ground w.r.t. $\mathcal{F}$ if the image of
$\mathrm{Supp}(\sigma)$ is included in $T(\mathcal{F})$.
The set of the subterms of a term $t$, denoted $\mathrm{Sub}(t)$, is defined
inductively as follows. If $t$ is a constant or a variable then
$\mathrm{Sub}(t) = \{t\}$. Otherwise, $t$ must be of the form
$f(t_1,\ldots,t_n)$, and we define $\mathrm{Sub}(t) = \{t\} \cup
\bigcup_{i=1}^{n} \mathrm{Sub}(t_i)$. The positions in a term $t$ are defined
recursively as usual (i.e. as sequences of integers), $\varepsilon$ being the
empty sequence. We denote by $t|_p$ the subterm of $t$ at position $p$. We
denote by $t[p \leftarrow s]$ the term obtained by replacing in $t$ the
syntactic subterm $t|_p$ by $s$.

2.2 Equational theories and Unification 

We consider in this paper an equational theory $\mathcal{E}$ that defines a
congruence on the terms in $T(\mathcal{F},\mathcal{X})$. We assume it is
consistent, i.e. that it has a model with more than one element. Ordered
rewriting [23] then permits us to employ the unfailing completion procedure of
[25] to produce a (possibly infinite) set of equations for which ordered
rewriting is convergent on ground terms, its o-completion. In turn, this
convergence permits us to constructively choose one element in the congruence
class of each ground term $t$, called its normal form and denoted
$(t)\!\downarrow$. We use in this paper the fact that since ordered rewriting
is a relation on ground terms, if a term $t$ is ground then the term
$(t)\!\downarrow$ is also a ground term.

This construction relies on the assumption that the ground terms are totally
ordered by a simplification ordering, and that the minimum for this ordering is
a free constant $c_{\min}$.

2.2.1 Unification and equational theory type

Our result on deduction systems may seem vacuous, as the definitions, based on
an ordering on the "attacks" on a protocol, are not constructive. They however
follow a classical line of definitions in the context of unification and
equational theories. We present in this subsection these classical notions
(and refer the reader e.g. to [27] for a more complete overview) in order to
highlight the similarities between our definitions and the classical ones for
unification.

Definition 1 ($\mathcal{E}$-unifiers) Let $\mathcal{E}$ be an equational
theory. We say that two terms $t$ and $s$ are $\mathcal{E}$-equal, and write
$s =_{\mathcal{E}} t$, if $\mathcal{E} \models t = s$. We say that a
substitution $\sigma$ is an $\mathcal{E}$-unifier of $s$ and $t$ if
$\mathcal{E} \models t\sigma = s\sigma$.

We say that two terms that have an $\mathcal{E}$-unifier are
$\mathcal{E}$-unifiable.

We denote by $\Sigma_{\mathcal{E}}(t,t')$ the set of all unifiers of $t$ and
$t'$. This set is not empty if, and only if, $t$ and $t'$ are unifiable. We
extend the notion of unifier to conjunctions of equations as follows.

Definition 2 (Unification systems) Let $\mathcal{E}$ be an equational theory.
An $\mathcal{E}$-unification system $S$ is a finite set of equations denoted by
$\{u_i \stackrel{?}{=} v_i\}_{i \in \{1,\ldots,n\}}$ with terms $u_i, v_i \in
T(\mathcal{F},\mathcal{X})$. It is satisfied by a substitution $\sigma$, and we
write $\sigma \models_{\mathcal{E}} S$, if for all $i \in \{1,\ldots,n\}$,
$u_i\sigma =_{\mathcal{E}} v_i\sigma$.
One defines an instantiation ordering on unifiers by setting $\sigma
\le_{\mathcal{E}} \tau$ whenever there exists a substitution $\theta$ such that
$\sigma\theta =_{\mathcal{E}} \tau$. Equational theories are classified [33]
w.r.t. the possible cardinalities of complete sets of unifiers.

Definition 3 (Complete set of unifiers) Let $\mathcal{E}$ be an equational
theory and $t, t'$ be two terms. We say that a subset $S$ of
$\Sigma_{\mathcal{E}}(t,t')$ is a complete set of unifiers of $t$ and $t'$ if,
for every substitution $\sigma \in \Sigma_{\mathcal{E}}(t,t')$, there exist a
substitution $\tau \in S$ and a substitution $\theta$ such that $\tau\theta
=_{\mathcal{E}} \sigma$.

In the instantiation ordering terminology, a complete set of unifiers is a set
of unifiers such that every unifier is an instance of a unifier in this set.
Finally, we define a set of most general unifiers to be a minimal set, for
standard set inclusion, among the complete sets of unifiers. The rationale for
this definition is that modulo an equational theory, two substitutions may be
non-trivial instances one of the other. In this case one of the two is
redundant and can be removed, hence the following definition.

Definition 4 (Most general $\mathcal{E}$-unifiers) Let $\mathcal{E}$ be an
equational theory. We call a set of most general $\mathcal{E}$-unifiers of $t$
and $t'$, and denote $\mathrm{mgu}_{\mathcal{E}}(t,t')$, a minimal (for set
inclusion) complete set of unifiers of the two terms $t$ and $t'$.

In the rest of this paper, and as long as there is no ambiguity, we simply refer
to such sets as sets of most general unifiers, or sets of mgu. Also, the notion
of mgu is extended as usual to unification systems. One proves the next lemma
by constructing explicitly an injection from each complete set of unifiers to
the other.

Lemma 1 Let $\mathcal{E}$ be an equational theory, $t, t'$ be two terms, and
$S, S'$ be two sets of most general unifiers of $t$ and $t'$. Then $S$ and $S'$
have the same cardinality.

The finiteness or even the existence of a minimal complete set of unifiers of
two terms unifiable modulo $\mathcal{E}$ is not guaranteed. We say that an
equational theory is finitary whenever, for every two unifiable terms $t, t'$,
$\mathrm{mgu}_{\mathcal{E}}(t,t')$ is a finite set.

One important property of unification systems that we shall use in the rest of
this paper is the following replacement property, where $\delta_{c,t}$ denotes
the replacement of the constant $c$ by the term $t$.

Lemma 2 For any equational theory $\mathcal{E}$, if an
$\mathcal{E}$-unification system $S$ is satisfied by a substitution $\sigma$,
and $c$ is any free constant in $\mathcal{C}$ away from $S$, then for any term
$t$, $\sigma\delta_{c,t}$ is also a solution of $S$.

Variables and constants. Using Lemma 2 we can clarify the differences and
similarities between variables and free constants. First, a formal point: since
free constants do not occur in the equations of the equational theory, they are
not among the constants obtained by skolemization. Second, we agree that in the
resolution procedure [1] variables have a special role, whereas by Herbrand's
theorem we know that it suffices to consider models of a set of clauses with
at most one free constant. In spite of this we use variables and free constants
(as in Lemma 2) almost interchangeably.

The rationale is that ordered completion yields a rewriting relation which is
convergent on ground terms, and thus cannot be employed to normalize terms that
contain variables. Lemma 2 is thus fundamental since it implies that some of
the free constants that may appear in a unifier can be replaced, the main
difference with variables being that if, for a simplification ordering $<$, we
have $t < t'$, then for every substitution $\sigma$ we also have $t\sigma <
t'\sigma$, whereas it is not the case that for every replacement $\delta_{c,s}$
we also have $t\delta_{c,s} < t'\delta_{c,s}$.

2.3 Deduction systems 

Our protocol analysis is based on the assumption that all the agents operate on
messages via a message manipulation library. We consider a signature
$\mathcal{F}$ containing the function symbols employed to denote the messages,
with a special subset of symbols $\mathcal{F}_p$ denoting the functions of the
library which can be employed by all participants.

Definition 5 (Deduction systems) A deduction system is defined by a triple
$(\mathcal{E}, \mathcal{F}, \mathcal{F}_p)$ where $\mathcal{E}$ is an
equational presentation on a signature $\mathcal{F}$ and $\mathcal{F}_p$ a
subset of public constructors in $\mathcal{F}$.

Example 1 For instance the following deduction system models public key
cryptography:

$(\{\mathrm{dec}_p(\mathrm{enc}_p(x,y), y^{-1}) = x\},\;
\{\mathrm{dec}_p(\_,\_), \mathrm{enc}_p(\_,\_), \_^{-1}\},\;
\{\mathrm{dec}_p(\_,\_), \mathrm{enc}_p(\_,\_)\})$

The equational theory is reduced here to a single equation that expresses that
one can decrypt a ciphertext when the inverse key is available.

3 Symbolic derivations 

We present in this section our model for agents. 
3.1 Definitions 

Symbolic derivations. Given a deduction system $(\mathcal{E}, \mathcal{F},
\mathcal{F}_p)$, a role applies public symbols in $\mathcal{F}_p$ to construct
a response from its initial knowledge and from the messages received so far.
Additionally, it may test equalities between messages to check the
well-formedness of a message. Hence the activity of a role can be expressed by
a fixed symbolic derivation:

Definition 6 (Symbolic Derivations) A symbolic derivation for a deduction
system $(\mathcal{E}, \mathcal{F}, \mathcal{F}_p)$ is a tuple $(V, S,
\mathcal{K}, \mathrm{In}, \mathrm{Out})$ where $V$ is a mapping from a finite
ordered set $(\mathrm{Ind}, <)$ to a set of variables $\mathrm{Var}(V)$,
$\mathcal{K}$ is a set of ground terms (the initial knowledge), $\mathrm{In}$
is a subset of $\mathrm{Ind}$, $\mathrm{Out}$ is a multiset of elements of
$\mathrm{Ind}$ and $S$ is a unification system.

The set $\mathrm{Ind}$ represents the internal states of the symbolic
derivation. We impose that any $i \in \mathrm{Ind}$ is of exactly one of the
following kinds:

Deduction state: there exists a public symbol $f \in \mathcal{F}_p$ of arity
$n$ such that $V(i) \stackrel{?}{=} f(V(a_1), \ldots, V(a_n)) \in S$ with $a_j
< i$ for $j \in \{1,\ldots,n\}$;

Re-use state: there exists $j < i$ with $V(j) = V(i)$;

Memory state: there exists $t \in \mathcal{K}$ and an equation $V(i)
\stackrel{?}{=} t$ in $S$;

Reception state: $i \in \mathrm{In}$.

Additionally, a state $i$ is also an emission state if $i \in \mathrm{Out}$.

The unification system $S$ contains no equations but those described above
and equations $V(i) \stackrel{?}{=} V(j)$, and the mapping $V$ must be
injective on non-re-use states.

A symbolic derivation is closed if it has no reception state. A substitution
$\sigma$ satisfies a closed symbolic derivation if $\sigma \models_{\mathcal{E}}
S$.

We believe that using symbolic derivations instead of more standard constraint
systems permits one to simplify the proofs by having a more homogeneous
framework. There is however one drawback to their usage. While most of the
time it is convenient to identify the order of deduction of messages with
their send/receive order, building in this identification too strictly would
prevent us from expressing simple problems. Re-use states are employed to
reorder the deduced messages to fit an order of sending messages which can be
different. For example, consider an intruder that knows (after reception) two
messages $a$ and $b$ received in that order, and that has to send first $b$,
then $a$. Since the states in a symbolic derivation have to be ordered, we have
to use at least one re-use state (for $a$) to be able to consider a sending of
$a$ after the sending of $b$. We note that re-use states that are not employed
in a connection can be safely eliminated without changing the deductions, the
definition of the knowledge, or the tests in the unification system.

With respect to earlier definitions, we have chosen to consider injective 
variable-state mapping functions. The rationale for this choice is essentially 
aesthetic, as using this more strict definition implies that every equality test 

performed by the attacker is an equality V{i) = V(j) in the unification system. 
Not having this restriction would require the introduction of a) an equivalence 
class on ASDs to model the fact that two ASDs can be solutions to exactly 
the same HSDs, and b) the subset of ASDs that have an injective variable-state 
mapping function, and c) the construction, by adding equality tests, for every 
ASD of an equivalent ASD in this subset. 
Example 2 Let us consider the following cryptographic protocol for the
deduction system $\mathcal{I}_{DY}$, where $\mathcal{F}_{DY}$ and its public
subset have been extended by a free public symbol $f$:

  $A \rightarrow B : \mathrm{enc}_p(N_a, \mathrm{pk}(B))$
  $B \rightarrow A : \mathrm{enc}_p(f(N_a), \mathrm{pk}(A))$

where

  $A$ knows $A, B, \mathrm{pk}(B), \mathrm{pk}(A), \mathrm{sk}(A)$
  $B$ knows $A, B, \mathrm{pk}(A), \mathrm{pk}(B), \mathrm{sk}(B)$

Let us define a symbolic derivation for role $B$:

  $\mathrm{Ind}_B = \{1, \ldots, 9\}$
  $V_B = i \in \mathrm{Ind}_B \mapsto x_i$
  $\mathcal{K}_B = \{A, B, \mathrm{pk}(A), \mathrm{pk}(B), \mathrm{sk}(B)\}$
  $\mathrm{In}_B = \{6\}$
  $\mathrm{Out}_B = \{9\}$
  $S_B = \{x_1 \stackrel{?}{=} A,\; x_2 \stackrel{?}{=} B,\; x_3 \stackrel{?}{=} \mathrm{pk}(A),\; x_4 \stackrel{?}{=} \mathrm{pk}(B),\; x_5 \stackrel{?}{=} \mathrm{sk}(B),$
        $x_7 \stackrel{?}{=} \mathrm{dec}_p(x_6, x_5),\; x_8 \stackrel{?}{=} f(x_7),\; x_9 \stackrel{?}{=} \mathrm{enc}_p(x_8, x_3)\}$

The set of deduction states in $B$ is $\{7, 8, 9\}$, there is no re-use state,
the set of memory states is $\{1, \ldots, 5\}$ and the only reception state is
$6$. Assuming that the role $B$ tests whether the received message is a cipher,
one may add a tenth deduction state with $x_{10} \stackrel{?}{=}
\mathrm{enc}_p(x_7, x_4)$ and an equation $x_6 \stackrel{?}{=} x_{10}$.
Similarly, a symbolic derivation for role $A$ would be:

  $\mathrm{Ind}_A = \{1, \ldots, 10\}$
  $V_A = i \in \mathrm{Ind}_A \mapsto y_i$
  $\mathcal{K}_A = \{A, B, \mathrm{pk}(A), \mathrm{pk}(B), \mathrm{sk}(A), N_a\}$
  $\mathrm{In}_A = \{9\}$
  $\mathrm{Out}_A = \{7\}$
  $S_A = \{y_1 \stackrel{?}{=} A,\; y_2 \stackrel{?}{=} B,\; y_3 \stackrel{?}{=} \mathrm{pk}(A),\; y_4 \stackrel{?}{=} \mathrm{pk}(B),\; y_5 \stackrel{?}{=} \mathrm{sk}(A),\; y_6 \stackrel{?}{=} N_a,$
        $y_7 \stackrel{?}{=} \mathrm{enc}_p(y_6, y_4),\; y_8 \stackrel{?}{=} f(y_6),\; y_{10} \stackrel{?}{=} \mathrm{dec}_p(y_9, y_5),\; y_{10} \stackrel{?}{=} y_8\}$

The set of deduction states in $A$ is $\{7, 8, 10\}$, there is no re-use state,
the set of memory states is $\{1, \ldots, 6\}$ and the only reception state is
$9$. We have added an equality test $y_{10} \stackrel{?}{=} y_8$ to model that
$A$ checks whether the message received actually contains the encryption of
$f(N_a)$. Generally speaking, if ground reachability and ground symbolic
equivalence for the deduction system are decidable (see later in Section 3),
then an as prudent as possible set of deductions and equality tests for the
narration can be computed (see [17]).

In addition we assume that two symbolic derivations do not share any variable,
and that equality between symbolic derivations is defined modulo a renaming of
variables. The proof of the following lemma is a direct consequence of the
definition.
[Figure 1: Honest symbolic derivations of Example 2 with a connection
corresponding to the intended communications, test equations not shown.
(a) With a connection, before computing the resulting symbolic derivation;
(b) after computing the symbolic derivation resulting from the connection.]

Lemma 3 (Properties of symbolic derivations) Let $C = (V, S, \mathcal{K},
\mathrm{In}, \mathrm{Out})$ be a symbolic derivation. We have:

1. For every variable $V(i)$ there is at most one equation in $S$ of the form
$V(i) \stackrel{?}{=} f(t_1, \ldots, t_n)$;

2. If $V(i)$ is a variable such that the above equation is in $S$, then either
a) $i$ is a deduction state and $i = \min\{j \mid V(j) = V(i)\}$, or b) $i$ is
a re-use state.

We rely on the normal form defined by the o-completion of the equational theory
$\mathcal{E}$ to prove that every closed symbolic derivation defines in a
unique way the terms deduced.

Lemma 4 Let $\mathcal{I}$ be a deduction system, and consider a closed and
satisfiable $\mathcal{I}$-symbolic derivation $C = (V, S, \mathcal{K},
\mathrm{In}, \mathrm{Out})$. Then there exists a unique ground substitution
$\sigma$ in normal form that satisfies $S$.
Proof. Since the symbolic derivation $C = (V, S, \mathcal{K}, \mathrm{In},
\mathrm{Out})$ is closed, it has by definition no reception states, and thus all
states are either memory, re-use or deduction states. We proceed by induction
on the set of indexes $\mathrm{Ind}$ ordered by $<$.

Base case: Assume $i$ is a minimal element in $\mathrm{Ind}$. By minimality
$i$ cannot be a re-use state. If it is a memory state then by definition there
exists in $S$ an equation $V(i) \stackrel{?}{=} t$, with $t$ a ground term in
normal form, and thus for every unifier $\tau$ of $S$ we must have $V(i)\tau =
t$. If $i$ is a deduction state, and since it is minimal, the public symbol
employed must be of arity $0$ and hence is a constant, i.e. again a ground
term $t$. In both cases there exists a unique ground substitution $\sigma$ in
normal form defined on $\{V(i)\}$ and such that any unifier of $S$ is an
extension of $\sigma$.

Induction case: Assume there exists a unique ground substitution $\sigma$ in
normal form with support $\{V(j) \mid j < i\}$ such that any unifier of $S$ is
an extension of $\sigma$. If $i$ is a re-use state, we note that $V(i)$ is
already in the support of $\sigma$, and we are done. If it is a memory state,
reasoning as in the base case permits us to extend $\sigma$ to $V(i)$. If it
is a deduction state then there exists in $S$ an equation $V(i) \stackrel{?}{=}
f(V(j_1), \ldots, V(j_n))$ with $j_1, \ldots, j_n < i$ that has to be satisfied
by every unifier $\theta$ of $S$. By induction every such unifier has to be
equal to $\sigma$ on $\{V(j_1), \ldots, V(j_n)\}$. Thus for every unifier
$\theta$ of $S$ we have $V(i)\theta =_{\mathcal{E}} f(V(j_1)\theta, \ldots,
V(j_n)\theta)$. By induction $f(V(j_1)\theta, \ldots, V(j_n)\theta) =
f(V(j_1)\sigma, \ldots, V(j_n)\sigma)$. Thus we have $V(i)\theta
=_{\mathcal{E}} (f(V(j_1)\sigma, \ldots, V(j_n)\sigma))\!\downarrow$, and
$\sigma$ can be uniquely extended on $V(i)$ with $V(i)\sigma = (f(V(j_1)\sigma,
\ldots, V(j_n)\sigma))\!\downarrow$, which is again a ground term in normal
form.

□

By Lemma 4, if a derivation is closed, then for every $i \in \mathrm{Ind}$ the
variable $V(i)$ is instantiated by a ground term. Figuratively, we say that a
term $t$ is known at step $i$ in a closed symbolic derivation if there exists
$j < i$ such that $V(j)$ is instantiated by $t$.

Ground symbolic derivations. An important case when considering protocol
refutation is the one in which the attacker cannot alter the messages
exchanged among the honest participants. This case can either be employed to
model a weaker attacker or, when trying to refute a cryptographic protocol, by
first guessing which messages are sent by the attacker, and then checking
whether these guesses correspond to messages the attacker can actually send.

Definition 7 (Ground symbolic derivation) We say that a symbolic derivation
$C_h = (V_h, S_h, \mathcal{K}_h, \mathrm{In}_h, \mathrm{Out}_h)$ is a ground
symbolic derivation whenever $S_h$ is satisfiable and there exists a ground
substitution $\sigma$ such that, for every unifier $\tau$ of $S_h$ and every
$i \in \mathrm{Ind}_h$, we have $(V_h(i)\tau)\!\downarrow =
(V_h(i)\sigma)\!\downarrow$.

In other words, the input and output messages of a ground symbolic derivation
are fixed ground terms. We note that since $C_h$ is not closed, and in spite of
$S_h$ being satisfiable, it is not necessarily true that $\neq \emptyset$.
Also, a simple analysis of the cases in the proof of Lemma 4 shows that it
suffices to assume that $\sigma$ is defined only on the indexes $i \in
\mathrm{In}_h$.

Connection. We express the communication between two agents represented 
each by a symbolic derivation by connecting these symbolic derivations. This 
operation consists in identifying some input variables of one derivation with 
some output variables of the other and contrariwise. This connection should be 
compatible with the variable orderings inherited from each symbolic derivation, 
as detailed in the following definition: 

Definition 8 Let $C_1, C_2$ be two symbolic derivations with, for $i \in \{1, 2\}$, $C_i = (V_i, S_i, K_i, In_i, Out_i)$, with disjoint sets of variables and index sets $(Ind_1, <_1)$ and $(Ind_2, <_2)$ respectively. Let $I_1, I_2$ be subsets of $In_1, In_2$, and $O_1, O_2$ be sub-multisets of $Out_1, Out_2$ respectively.

Assume that there is a monotone bijection $\phi$ from $I_1 \cup I_2$ to $O_1 \cup O_2$ such that $\phi(I_1) = O_2$ and $\phi(I_2) = O_1$. A connection of $C_1$ and $C_2$ over the connection function $\phi$, denoted $C_1 \circ_\phi C_2$, is a symbolic derivation

$C = (V, \phi(S_1 \cup S_2), K_1 \cup K_2, (In_1 \cup In_2) \setminus (I_1 \cup I_2), (Out_1 \cup Out_2) \setminus (O_1 \cup O_2))$

where:

• $(Ind, <)$ is defined by:

– $Ind = (Ind_1 \setminus I_1) \cup (Ind_2 \setminus I_2)$;

– $<$ is the transitive closure of the relation $<_1 \cup <_2$;

• $\phi$ is extended to a renaming of variables in $Var(V_1) \cup Var(V_2)$ such that $\phi(V_1(i)) = V_2(j)$ (resp. $\phi(V_2(i)) = V_1(j)$) if $i \in I_1$ (resp. $I_2$) and $\phi(i) = j$.

When the exact connection function in a connection does not matter, is uniquely defined, or is described otherwise, we will omit the subscript and denote $C_1 \circ C_2$.

A connection is satisfiable if the resulting symbolic derivation is satisfiable. It can easily be computed, when it exists, by considering increasing sequences of states in each symbolic derivation and mapping input states of one SD with output states of the other.

Example 3 Let $C_h$ be the symbolic derivation of the earlier example:

$Ind_h = \{0, \ldots, 8\}$
$V_h = i \in Ind_h \mapsto x_i$
$K_h = \{A, B, pk(A), pk(B), sk(B)\}$
$In_h = \{5\}$
$Out_h = \{0, \ldots, 8, 8\}$
$S_h = \{x_0 \stackrel{?}{=} A,\ x_1 \stackrel{?}{=} B,\ x_2 \stackrel{?}{=} pk(A),\ x_3 \stackrel{?}{=} pk(B),\ x_4 \stackrel{?}{=} sk(B),\ x_6 \stackrel{?}{=} dec_p(x_5, x_4),\ x_7 \stackrel{?}{=} f(x_6),\ x_8 \stackrel{?}{=} enc_p(x_7, x_2)\}$

We model the initial knowledge of the intruder with another symbolic derivation $C_k$:

$Ind_k = \{0^k, \ldots, 3^k\}$
$V_k = i^k \in Ind_k \mapsto y_i$
$K_k = \{A, B, pk(A), pk(B)\}$
$In_k = \emptyset$
$Out_k = Ind_k$
$S_k = \{y_0 \stackrel{?}{=} A,\ y_1 \stackrel{?}{=} B,\ y_2 \stackrel{?}{=} pk(A),\ y_3 \stackrel{?}{=} pk(B)\}$

and we let $C$ be the following derivation:

$Ind' = \{0', \ldots, 8'\}$
$V' = i' \in Ind' \mapsto z_i$
$K' = \{n\} \subseteq C_{new}$
$In' = \{0', \ldots, 3', 8'\}$
$Out' = \{5'\} \cup Ind'$
$S' = \{z_4 \stackrel{?}{=} n,\ z_5 \stackrel{?}{=} enc_p(z_4, z_3),\ z_6 \stackrel{?}{=} f(z_4),\ z_7 \stackrel{?}{=} enc_p(z_6, z_2),\ z_8 \stackrel{?}{=} z_7\}$

Let $\phi$ be the application from $0^k, \ldots, 3^k, 5', 8$ to $0', \ldots, 3', 5, 8'$ respectively and $\psi$ be a function of empty domain. Then we have $(C_h \circ_\psi C_k) \circ_\phi C$:

$Ind = \{0, \ldots, 4, 0^k, \ldots, 3^k, 5', 6', 7', 6, 7, 8\}$
$V = V_h|_{Ind} \cup V_k|_{Ind} \cup V'|_{Ind}$
$K = \{A, B, pk(A), pk(B), sk(B), n\}$
$In = \emptyset$
$Out = Ind \cap Ind'$
$S = \{x_0 \stackrel{?}{=} A,\ x_1 \stackrel{?}{=} B,\ x_2 \stackrel{?}{=} pk(A),\ x_3 \stackrel{?}{=} pk(B),\ x_4 \stackrel{?}{=} sk(B),$
$\quad x_6 \stackrel{?}{=} dec_p(x_5, x_4),\ x_7 \stackrel{?}{=} f(x_6),\ x_8 \stackrel{?}{=} enc_p(x_7, x_2),$
$\quad y_0 \stackrel{?}{=} A,\ y_1 \stackrel{?}{=} B,\ y_2 \stackrel{?}{=} pk(A),\ y_3 \stackrel{?}{=} pk(B),$
$\quad z_5 \stackrel{?}{=} n,\ z_6 \stackrel{?}{=} enc_p(z_5, z_3),\ z_7 \stackrel{?}{=} f(z_5),\ z_8 \stackrel{?}{=} enc_p(z_7, z_2),\ z_9 \stackrel{?}{=} z_8\}$

with the ordering:

$0 < 1 < 2 < 3 < 4 < 5' < 6 < 7 < 8$
$0^k < \ldots < 3^k < 4' < \ldots < 7' < 8$

The connection of two symbolic derivations $C_1$ and $C_2$ identifies variables in the input of one with variables in the output of the other. Variables that have been identified are removed from the input / output set of the resulting symbolic derivation $C$. The set of equality constraints of $C$ is the union of the equality constraints in $C_1$ and $C_2$, plus equalities stemming from the identification of input and output. We have chosen to have a multiset of output variables to enable the modeler to specify whether a communication between two participants is hidden — when the output state occurs only once in the initial output multiset — or visible — in which case there is more than one occurrence of the output state in the initial output multiset — to an external observer.

One easily checks that a connection of two symbolic derivations is also a sym- 
bolic derivation. Also, the associativity of function composition applied on the 
connections implies the associativity of the connection of symbolic derivations. 
Since connection functions are bijective, we will also identify $C \circ C'$ and $C' \circ C$.
Thus when we compose several symbolic derivations, we will freely re-arrange 
or remove parentheses. 

Traces. Let $C_1$ and $C_2$ be two I-symbolic derivations and $\varphi$ be a connection such that $C = C_1 \circ_\varphi C_2 = (V, S, K, In, Out)$ is closed and satisfiable. Lemma 2 implies that there exists a unique ground substitution $\tau$ in normal form such that any unifier $\sigma$ of $S_1 \cup S_2$ is equal to $\tau$ on the image of $V$. We denote $Tr_{C_1 \circ_\varphi C_2}(C')$ the restriction of this substitution $\tau$ to the variables in the sequence of $C'$, for $C' \in \{C_1, C_2, C_1 \circ_\varphi C_2\}$, and call it the trace of the connection on $C'$. In the rest of this paper we will always assume that trace substitutions are in normal form.

3.2 Solutions of symbolic derivations 
3.2.1 Honest and attacker symbolic derivations 

Generally speaking, a solution of a symbolic derivation $C$ is any couple $(C', \varphi)$ such that $C \circ_\varphi C'$ is closed and satisfiable. We specialize this definition for the case of protocol analysis in order to ensure that every term possessed by the attacker, including her initial knowledge, has been either leaked by the protocol or is a nonce she has created. This consideration led us to consider two types of symbolic derivations, one that is employed to model honest agents, and one to model an attacker.

Honest derivations. We do not impose constraints on the symbolic derivations representing honest principals, but for the avoidance of constants in an infinite set $C_{new} \subseteq C$. These constants are employed to model new values created by an attacker. We assume that nonces created by the honest agents are created at the beginning of their execution and are constants away from $C_{new}$.

Definition 9 (Honest symbolic derivations) A symbolic derivation $C$ is an honest symbolic derivation, or HSD, if the constants occurring in $C$ are away from $C_{new}$.

Example 4 The symbolic derivation for role $B$ in the earlier example is honest.

Attacker derivations. We consider an attacker modeled by a symbolic deriva- 
tion in which only the following actions are possible: 

• create a fresh, random value;

• receive from and send a message to one of the honest participants;

• deduce a new message from the set of already known messages;

• every state is in Out, given that the intruder should be able to observe his own knowledge;

• given that we consider an actual execution, the set of states is totally ordered.

The definition of attacker symbolic derivations models these constraints: 

Definition 10 (Attacker symbolic derivations) Let $C = (V, S, K, In, Out)$ be a symbolic derivation. It is an attacker symbolic derivation, or ASD, if a) $Ind$ is a total order, b) $Out$ contains at least one occurrence of each index in $Ind$, and c) $K$ is a subset of $C_{new}$.

The fact that the initial knowledge of the attacker is empty but for the nonces is not a restriction when analyzing protocols, as one can see from Example 3.

Example 5 The following derivation $C$ is an ASD for the same deduction system as the earlier examples:

$Ind' = \{0', \ldots, 8'\}$
$V' = i' \in Ind' \mapsto z_i$
$K' = \{n\} \subseteq C_{new}$
$In' = \{0', \ldots, 3', 8'\}$
$Out' = \{5'\} \cup Ind'$
$S' = \{z_4 \stackrel{?}{=} n,\ z_5 \stackrel{?}{=} enc_p(z_4, z_3),\ z_6 \stackrel{?}{=} f(z_4),\ z_7 \stackrel{?}{=} enc_p(z_6, z_2),\ z_8 \stackrel{?}{=} z_7\}$

Informally the ASD expresses that the attacker receives some key $k$, creates a nonce $n$, and sends the encrypted nonce to a role $B$ as in the earlier example. Then the attacker tries to check that applying $f$ to $n$ gives a term equal to the decryption of $B$'s response.

Solutions of a symbolic derivation. Given a symbolic derivation $C_h$ we denote $C_h^*$ the set of couples $(C, \varphi)$ where $C$ is an ASD and $\varphi$ is a connection function between $C$ and $C_h$ such that $C_h \circ_\varphi C$ is closed and satisfiable. In that case we say that $C$ is a solution of $C_h$.

Example 6 In Example 3 the ASD $C$ is a solution of $C_h \circ C_k$ since $(C_h \circ_\psi C_k) \circ_\phi C$ is closed and $S$ is satisfiable (by simply propagating the equalities $x_0 = A, x_1 = B, \ldots$).
3.3 Decision problems



Satisfiability. The problem of the existence of a secrecy attack on a bounded protocol execution — shown to be NP-complete in [31] for the standard Dolev-Yao deduction system — is equivalent to the satisfiability problem below.

I-Satisfiability

Input: a HSD $C$

Output: Sat iff $C^* \neq \emptyset$

A variant of I-satisfiability is its restriction to the set of inputs $C$ which are ground symbolic derivations, and that we call I-ground satisfiability.

Ground I-Satisfiability

Input: a ground HSD $C$

Output: Sat iff $C^* \neq \emptyset$



Equivalence. Let us now define the equivalence of HSDs w.r.t. an active intruder.

Definition 11 Two HSDs $C_h$ and $C'_h$ are symbolically equivalent iff $C_h^* = C'^*_h$.

I-Symbolic Equivalence

Input: Two honest I-symbolic derivations $C_h$ and $C'_h$

Output: Sat iff $C_h^* = C'^*_h$.

Again it is possible to define a ground version of the I-symbolic equivalence problem when the input consists in two ground symbolic derivations. One can easily encode static equivalence problems into ground I-Symbolic Equivalence problems by publishing every constant not hidden in the frame.

Ground I-Symbolic Equivalence

Input: Two honest I-ground symbolic derivations $C_h$ and $C'_h$

Output: Sat iff $C_h^* = C'^*_h$.

Remark. Another possible definition of the set of solutions would be a set of ASDs, without mention of the connection function. The equivalence relation would have been distinct since in that case an ASD can be in two sets of solutions but without the same connection function. However, this would have had no impact on our decidability result. Our choice in this paper corresponds to diff-equivalence between biprocesses [11]: the diff operator defines a bijection between the in- and output states of two process derivations, and the equality of the sets of solutions is understood modulo this one-to-one function.



4 Finitary Deduction Systems 

An equational theory $\mathcal{E}$ is finitary whenever every $\mathcal{E}$-unification system has a finite set of more general unifiers. We define an analog for deduction systems w.r.t. symbolic derivations rather than equational theories w.r.t. unification systems. In the rest of this paper, we consider effective finitary deduction systems, i.e. deduction systems for which it is possible to compute a finite set of "most general attacks".






4.1 Stutter-free ASDs 



We say that an ASD $C_x$ is well-formed w.r.t. a HSD $C_h$ and a connection $\varphi$ if, in the connection $C_h \circ_\varphi C_x$, a deduction subsequently applied on a deduced term $t$, or a re-use of the term $t$, is always applied by referring to the state in which $t$ was first deduced.

Definition 12 (Well-formed ASD) Let $C_h$ be a HSD and consider an ASD $C_x = (V_x, S_x, K_x, In_x, Out_x)$ such that $(C_x, \varphi) \in C_h^*$, and $\sigma = Tr_{C_x \circ_\varphi C_h}(C_x)$. We say that $C_x$ is $(C_h, \varphi)$-well-formed if for every deduction state $i$ and every state $j \in Ind_x$ with $i < j$, $V_x(i)\sigma = V_x(j)\sigma$ implies that

• either $V_x(i) = V_x(j)$, i.e. $j$ is a re-use state;

• or there is no equation $x = f(\ldots, V_x(j), \ldots)$ in $S_x$ and $j$ is not an emission state.

This restriction is mostly syntactic, and can be assumed w.l.o.g. for our purpose, as shown by Lemma 5.

Our aim is the reduction of equivalence problems to reachability problems 
for finitary deduction systems. In the latter problems, one only considers which 
terms are deducible by the attacker. Hence the following definitions that will 
be employed to split an ASD into a deduction only part solving a reachability 
problem and a testing part modeling the possible tests. 

Definition 13 (Deduction-only ASD) An ASD $C_x = (V_x, S_x, K_x, In_x, Out_x)$ is deduction-only if $S_x$ contains no equation $V_x(i) = V_x(j)$.

Definition 14 (Testing ASD) An ASD $C_x = (V_x, S_x, K_x, In_x, Out_x)$ is testing if $K_x = \emptyset$.

Definition 15 (Stutter-free ASDs) A well-formed deduction-only ASD is said to be stutter-free.

Given a HSD $C_h$ we denote $C_h^{sf}$ the set of stutter-free solutions of $C_h$. These ASDs have the special property that a connection cannot be unsatisfiable because of a rejection by the attacker. Formally speaking, we have the following proposition.

Proposition 1 Let $C_x = (V_x, S_x, K_x, In_x, Out_x) \in C_h^*$ be a deduction-only ASD. Then for any ground substitution $\sigma$ of domain $In_x$ the unification system $S_x\sigma$ is satisfiable in the empty theory.

Proof. We remind that a unification system $S$ is in solved form in the empty theory if and only if there exists an ordering $<_v$ on variables such that $S$ contains, for each variable $x$, at most one equation $x = t$, and if for every $y \in Var(t)$ we have $y <_v x$. First let us notice that since $C_x$ is deduction-only, $S_x$ does not contain any equation $V_x(i) = V_x(j)$ with $V_x(i) \neq V_x(j)$. By definition $S_x$ contains exactly one equation $V_x(i) = t$ if $i$ is not an input or the re-use of an input state, and none otherwise. In the former case we can assume that for a mgu $\theta$ of $S$ we have $V(i)\theta = V(i)$. Using the ordering on states as the ordering $<_v$, Lemma 4 implies that $S_x$ is in solved form, and adding to $S_x$ equations $V_x(i) = t_i$, for $i \in In_x$ and $t_i$ a ground term, thus leads to a unification system also in solved form. □

4.2 Sets of solutions 

Outline. We prove in this section that ASDs are such that, when replacing a constant in $C_{new}$ by the result of a sequence of compositions (this operation is called opening) we obtain another ASD which can be connected to all the HSDs the original ASD could be connected to (Lemma 5). This notion of replacement acts as the instantiation of a unifier modulo an equational theory. Accordingly we define from it a well-founded ordering on ASDs mimicking the role of the instantiation ordering on unifiers. Finally, we prove that given a set of ASDs $S$, the inclusion $S \subseteq C_h^*$ can be checked by testing only the minimal ASDs in $S$ (Lemma 6).

Opening of symbolic derivations. If $C = (V, S, K, In, Out)$ and $\mathcal{C} \subseteq C_{new} \cap K$ is a set such that $\mathcal{C} \cap Sub(K \setminus \mathcal{C}) = \emptyset$, we open $C$ on $\mathcal{C}$, and denote the operation $open_{\mathcal{C}}(C)$, when for each $c \in \mathcal{C}$:

• if $i \in Ind$ is the first knowledge state with $V(i) = c \in S$, we remove this equation from $S$ and add $i$ to the input states;

• we replace all occurrences of $c$ in $C$ by $V(i)$.

We note that the set $K'$ obtained from $K$ after the replacement is still a set of ground terms since $\mathcal{C} \cap Sub(K \setminus \mathcal{C}) = \emptyset$, and thus the result of the operation is still a symbolic derivation. Also, if $C$ is an ASD, then so is $open_{\mathcal{C}}(C)$.

Lemma 5 Let $C_x \in C_h^*$ with $C_x = (V_x, S_x, K_x, In_x, Out_x)$, let $\mathcal{C} \subseteq K_x$ and let $C_c \in C_h'^{sf}$ for some HSD $C'_h$. If a connection $C_c \circ C_h \circ open_{\mathcal{C}}(C_x)$ is closed then it is satisfiable.

Proof. By Proposition 1, $Tr_{C_c \circ C_h \circ open_{\mathcal{C}}(C_x)}(C_c)$ satisfies $S_c$. Since $C_x$ is an ASD we have $\mathcal{C} \cap Sub(K \setminus \mathcal{C}) = \emptyset$, and thus $\mathcal{C} \cap Sub(S_h) = \emptyset$. Let us denote $S'_x$ the unification system $S_x$ in which the equations $x = c$ with $c \in \mathcal{C}$ are removed. For any substitution $\sigma$ and any constant $c \in \mathcal{C}$, Lemma 5 and $\sigma \models_{\mathcal{E}} S_h \circ S'_x$ imply $\sigma\delta_{c,t} \models_{\mathcal{E}} S_h \circ S'_x$.

Let $\sigma' = Tr_{C_c \circ C_h \circ open_{\mathcal{C}}(C_x)}(C_x)$. For each memory state $i \in Ind_x$ that contains a constant $c \in \mathcal{C}$ we let $t_c = V_x(i)\sigma'$. We define $\delta$ as the replacement of each constant $c \in \mathcal{C}$ by the term $t_c$.

By induction on the indexes of the connection $C_c \circ C_h \circ open_{\mathcal{C}}(C_x)$ we have:

$Tr_{C_c \circ C_h \circ open_{\mathcal{C}}(C_x)}(C_c \circ C_h \circ open_{\mathcal{C}}(C_x)) = Tr_{C_h \circ C_x}(C_h \circ C_x)\delta$

Thus every equation in $S_h \cup S_x$ (minus the removed memory equations) is satisfied by the composition with $C_c$. Since every equation in its unification system is satisfied, the connection $C_c \circ C_h \circ open_{\mathcal{C}}(C_x)$ is satisfiable. □

Ordering on symbolic derivations. Consider two symbolic derivations:

$C_x = (V_x, S_x, K_x, In_x, Out_x)$
$C'_x = (V'_x, S'_x, K'_x, In'_x, Out'_x)$

We say that $C_x < C'_x$ if:

• there exists $\mathcal{C} \subseteq K_x$, a stutter-free symbolic derivation $C_c$ and a connection $\psi$ such that $C_c \circ_\psi open_{\mathcal{C}}(C_x) = C'_x$ modulo a renaming of variables;

• or there exists a set of memory states $I \subseteq Ind_x$ such that $C'_x$ is equal to $C''_x = (V''_x, S''_x, K''_x, In''_x, Out''_x)$ where:

– $V''_x$ is the restriction of $V_x$ to the domain $Ind_x \setminus I$;

– and $S''_x = S_x \setminus \{V_x(i) = c_i\}_{i \in I}$.

We say that $C_x, C'_x$ are equivalent modulo a renaming of nonces, and denote $C_x \equiv C'_x$, whenever there exists $\mathcal{C} \subseteq K_x$, a stutter-free symbolic derivation $C_c$ with only memory states, and a connection $\psi$ such that $C_c \circ_\psi open_{\mathcal{C}}(C_x) = C'_x$. Given a set $S$ of ASDs we denote $min_<(S)$ the set of ASDs in $S$ that are minimal in $S$ modulo renaming of nonces.

Since $C < C'$ implies that either: a) $C$ has strictly less deduction states than $C'$, and less states, b) $C$ has strictly less states than $C'$, c) or $C$ and $C'$ are equivalent modulo a renaming of nonces, it is clear that $<$ is a well-founded ordering relation modulo this renaming.

Lemma 6 Let $S$ be a set of ASDs and $C_h$ be a HSD. If $min_<(S) \subseteq C_h^*$ then $S \subseteq C_h^*$.

Proof. Assume $min_<(S) \subseteq C_h^*$ and let $C_x$ be in $S$. By definition of the ordering, first point, there exists a derivation $C'_x \in min_<(S)$, a set of constants $\mathcal{C}$, and a stutter-free derivation $C_c$ such that $C_c \circ open_{\mathcal{C}}(C'_x) = C_x$. By hypothesis we have $C'_x \in C_h^*$. By Lemma 5 this implies that $C_x = C_c \circ open_{\mathcal{C}}(C'_x)$ is also in $C_h^*$. □

Complete sets of solutions. The ordering $<$ plays the same role w.r.t. the solutions of a HSD as the instantiation ordering on substitutions w.r.t. the solutions of a unification system. In particular the traditional notion of most general unifier is translated into a notion of minimal solution.

Definition 16 (Complete set of solutions) A set $\Sigma$ of ASDs is a complete set of solutions of an HSD $C_h$ whenever:

• $\Sigma \subseteq C_h^*$;

• for every ASD $C_x \in C_h^*$ there exists an ASD $C_m \in \Sigma$ and a stutter-free ASD $C_c$ such that $C_m < C_x \circ C_c$.

We have departed from our line of translating terms from the unification framework to the symbolic derivation framework by introducing a symbolic derivation $C_c$. It permits us to consider cases in which the computation of a complete set of unifiers introduces unnecessary deduction steps in individual ASDs. A common example of such addition is the normalization of messages $(t, t')$, i.e. the automatic deduction of the two messages $t$ and $t'$ even when they are not useful for the attacker.

4.3 Finitary deduction systems 

We have already noted that a NP decision procedure for the satisfiability of HSDs for the Dolev-Yao deduction system is known since [31]. While this procedure is based on the guessing of an attack of minimal size, other procedures have been proposed [?, 30] that instead cover all possible stutter-free derivations [?], i.e. compute a complete set of solutions. We define deduction systems for which such a procedure exists to be finitary.

Definition 17 (Finitary Deduction Systems) Let $\mathcal{I}$ be a deduction system. If there exists a procedure that computes for every $\mathcal{I}$-HSD $C_h$ a finite complete set of solutions we say that $\mathcal{I}$ is a finitary deduction system.

5 Decidability of Symbolic Equivalence 

This section is devoted to the proof of the main theorem of this paper. 

Theorem 1 Symbolic equivalence is decidable for finitary deduction systems. 

We first prove that every ASD can be written as the connection between a stutter-free ASD and a testing ASD in which no new term is deduced (Lemma 7). This implies the reduction of the inclusion problem to the one of checking whether, for any stutter-free ASD in $C_h^*$, the connections of this ASD with $C_h$ and $C'_h$ result in closed symbolic derivations $C_1$ and $C_2$ such that $C_1^* \subseteq C_2^*$ (Lemma 9). Given a stutter-free ASD in $C_h^*$ this latter test is simple since it suffices to consider the connection with ASDs that have at most one deduction (Prop. 2).

We relate these types of ASD with well-formed ASDs with the following 
lemma. 

Lemma 7 Let $C_x$ be a $(C_h, \varphi)$-well-formed ASD. Then there exists a connection $\psi$, a well-formed deduction-only ASD $C_d$, and a testing ASD $C_t$ such that:

• $C_x = C_d \circ_\psi C_t$;

• for all HSD $C$ and connection $\varphi$, the connection $C \circ_\varphi C_x$ is closed if, and only if, $C \circ_\varphi C_d$ is closed.
Proof. Let $C_h$ be a HSD, $C_x = (V_x, S_x, K_x, In_x, Out_x)$ be an ASD, and $\varphi$ be a connection such that $(C_x, \varphi) \in C_h^*$. We construct a sequence of couples $(C_d, C_t)$ of ASDs such that $C_d$ is deduction-only, $C_t$ is testing, and such that in the end $C_d$ is well-formed. We start from:

$C_d = (V_x, S_x \setminus S_{=}, K_x, In_x, Out_x \cup Ind_x)$
$C_t = (V_x, S_{=}, \emptyset, Ind_x, Out_x)$

and the connection $\psi$ being the identity. By construction $C_t$ is testing and $C_d$ is deduction-only. However $C_d$ may not be well-formed.

For each deduction state $i$ in $C_d$ such that there exists a deduction state $j < i$ with $V_x(i)\sigma = V_x(j)\sigma$, let $S_{V_x(i)}$ be the subset of equations of $S_x$ in which $V_x(i)$ occurs. Since $i$ is a deduction state, $S_{V_x(i)}$ contains one equation $V_x(i) = f(x_1, \ldots, x_n)$. Since the ASD is well-formed, all other equations in $S_{V_x(i)}$ are of the form $V_x(i) = V_x(j)$, and thus are already in $S_{=}$. We obtain a new couple of ASDs $(C'_d, C'_t)$ by removing the state $i$ from $C_d$ (and thus from the output variables of $C_d$), removing $i$ from the input states of $C_t$, and adding the equation $V_x(i) = f(x_1, \ldots, x_n)$ to the unification system of $C_t$, thereby making $i$ a deduction state in $C_t$.

It is clear that once the construction is performed on every deduction state from $C_d$, this symbolic derivation will be well-formed. □

Lemma 8 Let $C_h, C'_h$ be two HSDs such that $C_h^* \setminus C'^*_h \neq \emptyset$. Then $C_h^* \setminus C'^*_h$ contains a $(C_h, \varphi)$-well-formed ASD.

Proof. Assume $(C_x, \varphi) \in C_h^* \setminus C'^*_h$, and $C_x = (V_x, S_x, K_x, In_x, Out_x)$, and $\sigma = Tr_{C_x \circ_\varphi C_h}(C_x)$. By hypothesis $\sigma$ satisfies $S_x$. Let $S_1$ be the set of equations $V_x(i) = V_x(j)$ on all states $i, j$ such that: a) $i$ is a deduction state, b) $i < j$, and c) $V_x(i)\sigma = V_x(j)\sigma$. It is clear that $S_x \cup S_1$ is also satisfied by $\sigma$.

Then, replace in $S_x$ each equation $x = f(\ldots, V_x(j), \ldots)$ such that there exists a deduction state $i < j$ with $V_x(i)\sigma = V_x(j)\sigma$ by the equation $x = f(\ldots, V_x(i), \ldots)$. Let $S'_x$ be the obtained unification system. Given the equations in $S_1$ it is clear that $S_x \cup S_1$ and $S'_x \cup S_1$ are satisfied by the same set of substitutions.

Let $C'_x = (V_x, S'_x \cup S_1, K_x, In_x, Out_x)$. It remains to note that:

• $Tr_{C_x \circ_\varphi C_h}(C_x \circ_\varphi C_h) = Tr_{C'_x \circ_\varphi C_h}(C'_x \circ_\varphi C_h)$;

• $Tr_{C_x \circ_\varphi C'_h}(C_x \circ_\varphi C'_h) = Tr_{C'_x \circ_\varphi C'_h}(C'_x \circ_\varphi C'_h)$, and thus $(C'_x, \varphi) \notin C'^*_h$;

• by construction $C'_x$ is $(C_h, \varphi)$-well-formed.

Thus, $C'_x$ is a $(C_h, \varphi)$-well-formed ASD in $C_h^* \setminus C'^*_h$. □

As a consequence, we obtain the following lemma that permits to split the 
symbolic equivalence problem into two simpler problems. 
Lemma 9 Let $C_h$ and $C'_h$ be two HSDs. We have $C_h^* \subseteq C'^*_h$ if, and only if:

• $C_h^{sf} \subseteq C'^*_h$;

• and for each ASD $C_x \in C_h^{sf}$ and for each testing ASD $C_t \in (C_x \circ C_h)^*$ we have $C_t \in (C_x \circ C'_h)^*$.

Proof. Assume $(C_x, \varphi) \in C_h^* \setminus C'^*_h$. By Lemma 8 we can assume wlog that $C_x = (V_x, S_x, K_x, In_x, Out_x)$ is well-formed. By Lemma 7 $C_x$ can be written $C_d \circ_\psi C_t$ where $C_d$ is a stutter-free ASD and $C_t$ is a testing ASD. By construction we have $(C_t, \psi) \in (C_d \circ C_h)^*$. Since $C_d \circ_\psi C_t = C_x \notin C'^*_h$ then either $C_d \circ C'_h$ is closed, but not satisfiable, or $C_t \notin (C_d \circ C'_h)^*$. In the former case we have $C_h^{sf} \not\subseteq C'^*_h$, and in the latter case we have $C_t \in (C_x \circ C_h)^* \setminus (C_x \circ C'_h)^*$.

Conversely, if one of the two points does not hold, we easily construct an ASD in $C_h^* \setminus C'^*_h$. □

Then we prove that if in the previous lemma the testing part is known, the 
stutter-free part is also a stutter-free solution of the connection between the 
testing part and the HSD. 

Lemma 10 Assume $C_x \in C_h^{sf}$ and $C_t \in (C_x \circ C_h)^*$. Then $C_x \in (C_t \circ C_h)^{sf}$.

Proof. We let $C_x$, $C_h$, and $C_t$ be as in the statement of the lemma, and denote them as follows:

$C_x = (V_x, S_x, K_x, In_x, Out_x)$

$C_h = (V_h, S_h, K_h, In_h, Out_h)$

$C_t = (V_t, S_t, K_t, In_t, Out_t)$

Since $C_x \in C_h^{sf}$ there exists a one-to-one mapping¹ $\varphi : In_x \cup In_h \to Out_x \cup Out_h$ such that $C'_h = C_x \circ_\varphi C_h$ is closed and satisfiable. Let us denote $C'_h = (V'_h, S'_h, K'_h, In'_h, Out'_h)$.

Also by hypothesis there exists a one-to-one mapping $\psi : In'_h \cup In_t \to Out'_h \cup Out_t$ such that $C_t \circ_\psi C'_h$ is closed and satisfiable. Since $C'_h$ is closed the function $\psi$ is actually a mapping from $In_t$ to $Out'_h \cup Out_t$. Let $D$ be the subset of the domain of $\psi$ of indexes $i$ such that $\psi(i) \in Out_x$, and $\bar{D}$ be its complement in the domain of $\psi$. Let us define from $\psi$ and $D$ two functions:

Let $C''_h = C_h \circ_{\psi'} C_t$. Since by construction

$C_x \circ_{\varphi'} (C_h \circ_{\psi'} C_t) = C_t \circ_\psi (C_h \circ_\varphi C_x)$

and $C_t \in (C_h \circ C_x)^*$, the connection between $C_x$ and $C''_h$ is also closed and satisfiable, and thus $C_x \in (C''_h)^*$. Since $C_x \in C_h^{sf}$ the first two points of the definition of stutter-free derivations are satisfied by $C_x$. Given that:

$\varphi'|_{In_h \cup In_x} = \varphi|_{In_h \cup In_x}$

it is easy to see that:

$Tr_{C_x \circ_{\varphi'} (C_h \circ_{\psi'} C_t)}(C_x) = Tr_{C_x \circ_\varphi C_h}(C_x)$

As a consequence the hypothesis $C_x \in C_h^{sf}$ implies $C_x \in (C''_h)^{sf}$. □

¹ Since the connection is closed the mapping is total.



The next step is to bound the size of the testing ASD $C_t$ obtained in Lemma 9. To this end, given an ASD $C_x \in C_h^{sf}$ we define:

$\chi(C_x) = \{C_t \text{ testing ASD} \mid C_t \circ C_x \in C_h^* \setminus C'^*_h\}$

i.e. the set of testing ASDs that distinguish $C_h$ from $C'_h$. By Lemma 9, $C_h^* \not\subseteq C'^*_h$ if, and only if, there exists an ASD $C_x$ such that $\chi(C_x) \neq \emptyset$. By ordering the equations in the unification system of an ASD $C_t \in \chi(C_x)$ and keeping a minimal one, we prove that an ASD of bounded length can be constructed from $C_t$.

Proposition 2 $C_h^* \not\subseteq C'^*_h$ if, and only if, there exists $C_x \in C_h^{sf}$ such that $\chi(C_x)$ contains an ASD $C_t$ with at most one deduction and one equality test.

Proof. The converse direction is trivial.

First let us note that if $C \in C_h^* \setminus C'^*_h$ then, adding test equations to $C$ which are satisfied by $Tr_{C \circ C_h}(C)$ yields another symbolic derivation in $C_h^* \setminus C'^*_h$. Thus and wlog we let $C \in C_h^* \setminus C'^*_h$ be an aware ASD. According to Lemma 7, $C$ can be split into one stutter-free derivation $C_x = (V_x, S_x, K_x, In_x, Out_x)$ and one test derivation $C_t = (V_t, S_t, K_t, In_t, Out_t)$. We also define a partition $S_t^d \cup S_t^{=}$ of $S_t$ such that $S_t^d$ contains only deduction equations and $S_t^{=}$ contains only test equations. Let $C_t^d = (V_t, S_t^d, K_t, In_t, Out_t)$. Let us define the following substitutions:

where the ASD $C'_t$ is constructed from $C_t$ as follows. We note that, if $V_t(i) = V_t(j)$ for two distinct states $i, j$ which are not reuse states, we can introduce a new variable $x$, change $V_t(j)$ to $x$, and introduce in $S_t$ a new test equation $V_t(i) = x$. In other words we can assume wlog that $V_t$ is injective on states which are not reuse states. This permits one to ensure that the subset $S_t^d$ of equations which are not test equations is satisfiable in any closed connection with another symbolic derivation. We define $\sigma_t^d = Tr_{C_t^d \circ C_x \circ C_h}(C_t)$.

By the second point of Lemma 7 there exists a mapping $\psi : Ind_t \to Ind_x$ such that for every $i \in Ind_t$ we have $V_t(i)\sigma_t = V_x(\psi(i))\sigma_x$. Wlog we assume that $\psi$ is defined as an extension of the connection between $C_x$ and $C_t$, thereby ensuring that for input states $i$ of $C_t$ we also have $V_t(i)\sigma'_t = V_x(\psi(i))\sigma'_x$.

Claim 1. Wlog we can assume that for any deduction state $i \in Ind_t$ we have

$V_t(i)\sigma'_t \neq V_x(\psi(i))\sigma'_x$.

Proof of the claim. Let $i \in Ind_t$ be a deduction state such that $V_t(i)\sigma'_t = V_x(\psi(i))\sigma'_x$. Adding a reuse state if necessary, we can change $i$ into an input state that is connected to $\psi(i)$ (or a state which is a reuse of $\psi(i)$). This construction does not change $\sigma_t$ nor $\sigma'_t$, and thus the fact that $C_t \circ C_x \circ C_h$ or $C_t \circ C_x \circ C'_h$ is satisfiable. When repeatedly applying it, we obtain a symbolic derivation $C_t$ that satisfies the claim.

We now split the analysis in two cases depending on whether the set $I_t \subseteq Ind_t$ of indexes $i$ such that $V_t(i)\sigma'_t \neq V_x(\psi(i))\sigma'_x$ is empty or not. If it is empty, the claim implies that we can assume there is no deduction state in $C_t$, and thus that $S_t = S_t^{=}$. Since $C_t \circ C_x \circ C_h$ is satisfiable but not $C_t \circ C_x \circ C'_h$, there exist two input states $i, j$ and one equation $V_t(i) = V_t(j)$ in $S_t$ which is satisfied by $\sigma_t$ but not by $\sigma'_t$. Thus $\chi(C_x)$ contains one symbolic derivation

$(V : l \in \{1, 2\} \mapsto x_l,\ \{x_1 = x_2\},\ \emptyset,\ \{1, 2\},\ \emptyset)$

where $1$ is connected to $\psi(i)$ and $2$ is connected to $\psi(j)$.
On the other hand, if $I_t$ is not empty, let $i_0$ be minimal in this set, and let $V_t(i_0) = f(V_t(i_1), \ldots, V_t(i_n))$ be the equation corresponding to this deduction state in $S_t$. Given the claim we can assume that it is the first deduction state, and thus that all preceding states are input states. Thus there exists an ordering on the set $Ind_0 = \{t, 0, \ldots, n\}$ such that the following symbolic derivation is in $\chi(C_x)$ and satisfies the proposition:

$(V : i \in Ind_0 \mapsto x_i,\ \{x_0 = f(x_1, \ldots, x_n),\ x_0 = x_t\},\ \emptyset,\ \{t, 1, \ldots, n\},\ \emptyset)$

□

Now we simply gather the results from Lemma 10 and Proposition 2.

Proposition 3 Given two HSDs $C_h$ and $C'_h$ we have $C_h^* \subseteq C'^*_h$ if, and only if, there exists a symbolic testing derivation $C_t$ with at most one deduction state and one equality and a connection $\varphi$ such that $(C_h \circ_\varphi C_t)^{sf} \subseteq (C'_h \circ_\varphi C_t)^*$.

Proof. Let us first prove the contrapositive of the direct direction. Let $C_x$ be an ASD in $(C_h \circ_\varphi C_t)^{sf} \setminus (C'_h \circ_\varphi C_t)^*$, and $\psi$ be a connection such that:

$C_x \circ_\psi (C_h \circ_\varphi C_t)$ is closed and satisfiable
$C_x \circ_\psi (C'_h \circ_\varphi C_t)$ is closed and not satisfiable

From $\varphi$ and $\psi$ we easily define two connections $\varphi'$ and $\psi'$ such that $C_x \circ_{\psi'} C_t$ is an ASD $C_1$ such that $C_1 \circ_{\varphi'} C_h$ is closed and satisfiable whereas $C_1 \circ_{\varphi'} C'_h$ is closed but not satisfiable. Hence:

$(C_h \circ_\varphi C_t)^{sf} \setminus (C'_h \circ_\varphi C_t)^* \neq \emptyset$ implies $C_h^* \not\subseteq C'^*_h$.
Let us now prove the contrapositive of the converse implication and assume $C_h^* \not\subseteq C'^*_h$. By Proposition 2 there exists a symbolic derivation $C_x \in C_h^{sf}$, a testing ASD $C_t$ and a connection $\psi$ such that:

$C_t \circ_\psi C_x \in C_h^*$
$C_t \circ_\psi C_x \notin C'^*_h$
$C_t$ contains at most one deduction and one equality test

By Lemma 10 this implies that there exists a connection $\varphi$ such that $C_x \in (C_h \circ_\varphi C_t)^{sf}$. Given the construction it is clear that $C_x \notin (C'_h \circ_\varphi C_t)^*$. □

The proof of the following theorem depends on the fact that for finitary deduction systems, the set $min_<((C_t \circ C_h)^{sf})$ is by definition finite. The test of Proposition 3 thus becomes effective by Lemma 5 when a finite witness set is available.

Theorem 2 (Inclusion of $C_h^*$ into $C'^*_h$) Let $\mathcal{D}$ be a finitary deduction system. The inclusion $C_h^* \subseteq C'^*_h$ is decidable for any two honest $\mathcal{D}$-symbolic derivations $C_h, C'_h$.

Proof. By Prop. 3 the inclusion does not hold if, and only if, there exists an ASD $C_t$ of bounded length and a connection function $\varphi$ such that:

$\Delta = (C_h \circ_\varphi C_t)^{sf} \setminus (C'_h \circ_\varphi C_t)^* \neq \emptyset$

Let $C_x$ be an ASD in $\Delta$. By definition of finitary deduction systems one can compute from $C_h \circ_\varphi C_t$ a finite set $\Sigma$ of ASDs such that there exist $C_\sigma \in \Sigma$ and $C_c$ stutter-free such that $C_\sigma < C_x \circ C_c$. By definition of the ordering there exist a stutter-free derivation $C_e$ and a set of constants $\mathcal{C}$ such that:

$open_{\mathcal{C}}(C_\sigma) \circ C_e = C_x \circ C_c$

By hypothesis there exists a connection function $\psi$ such that $C_x \circ_\psi (C_h \circ_\varphi C_t)$ is closed and satisfiable whereas $C_x \circ_\psi (C'_h \circ_\varphi C_t)$ is closed but not satisfiable. By Lemma 5 (employed with $\mathcal{C} = \emptyset$) $C_c \circ (C_x \circ_\psi (C_h \circ_\varphi C_t))$ is satisfiable whereas, since $C_x \circ_\psi (C'_h \circ_\varphi C_t)$ is closed, $C_c \circ (C_x \circ_\psi (C'_h \circ_\varphi C_t))$ is not. By Lemma 5, if $C_\sigma \in (C'_h \circ C_t)^*$ then so is $C_c \circ (C_x \circ (C'_h \circ C_t))$. Since $C_\sigma \in \Sigma$ implies $C_\sigma \in (C_h \circ C_t)^*$ we thus have $C_\sigma \in (C_h \circ C_t)^* \setminus (C'_h \circ C_t)^*$. Thus, if $C_h^* \not\subseteq C'^*_h$ one can guess (in bounded time) a symbolic derivation $C_t$ and compute a finite set $\Sigma$ of symbolic derivations that contains one which is not in $(C'_h \circ C_t)^*$.

Conversely it is clear that if one such derivation is found then $C_h^* \not\subseteq C'^*_h$. □

As a trivial consequence we obtain the announced theorem. 

Theorem 1 Symbolic equivalence is decidable for finitary deduction systems.
6 Conclusion



We have introduced in this paper the notion of finitary deduction systems, and proved that symbolic equivalence is decidable for such attacker models. We believe that this definition also captures the essence of the lazy intruder techniques that are employed in many tools. Accordingly, we believe that a practical consequence of this paper will be the inclusion in existing reachability analysis tools of a symbolic equivalence checking algorithm.

In terms of comparison of expected runtimes for tools currently deciding reachability, a back-of-the-envelope computation for tools employing lazy constraint solving techniques such as OFMC [?] and CL-AtSe [36] would be twice (given that two protocols have to be analyzed and assuming the tool is not parallelized) the runtime for safe protocols of a similar size (since these tools usually stop at the first attack found, and thus typically have a much shorter running time in these cases). We refer the interested reader to [36] for more details, but given that CL-AtSe now implements a concurrent search algorithm and has been deployed on Amazon's EC2, we believe that less than 10s for reasonable industrial protocols is achievable nowadays.